General
-
Target
fe53a72b7153804b22dc7a805f21db4f_JaffaCakes118
-
Size
412KB
-
Sample
240929-mfpclszenr
-
MD5
fe53a72b7153804b22dc7a805f21db4f
-
SHA1
5160de169967993052cefa355f830411d0281216
-
SHA256
079e3875726e57824b5357583a9ba746c5775a60c6355f5cced8024652817699
-
SHA512
ac3327c6c101ac517c716f5d5f6d4d336f37416480710133e14b5cc38f1b31d5728936c24fdbe5eca8ded601591df66ebd35889d28346ccd8dc3dcb4798a9578
-
SSDEEP
12288:RQp9NlgvmmR72pz33QoqzranOiu+tu9RuQiXlNv:6phgvmmB2pz3DpOiuMunuQi3
Malware Config
Extracted
netwire
top.westover.xyz:4590
-
activex_autorun
true
-
activex_key
{803GTO4N-ENS6-08FV-IL8I-U12VW8O81OU2}
-
copy_executable
false
-
delete_original
false
-
host_id
ACALYS-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
WDqjVsjL
-
offline_keylogger
true
-
password
252522
-
registry_autorun
true
-
startup_name
printer
-
use_mutex
true
Targets
-
-
Target
fe53a72b7153804b22dc7a805f21db4f_JaffaCakes118
-
Size
412KB
-
MD5
fe53a72b7153804b22dc7a805f21db4f
-
SHA1
5160de169967993052cefa355f830411d0281216
-
SHA256
079e3875726e57824b5357583a9ba746c5775a60c6355f5cced8024652817699
-
SHA512
ac3327c6c101ac517c716f5d5f6d4d336f37416480710133e14b5cc38f1b31d5728936c24fdbe5eca8ded601591df66ebd35889d28346ccd8dc3dcb4798a9578
-
SSDEEP
12288:RQp9NlgvmmR72pz33QoqzranOiu+tu9RuQiXlNv:6phgvmmB2pz3DpOiuMunuQi3
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1